The only problem with that scenario is that if you wanted to change the policies of the local machines without affecting other PCs on the network, or having to stick them into a separate OU.
But I suppose you could change the policies on one of the machines and then write a script that copies the
%windir%\system32\GroupPolicy folder from the fixed machine to all other machines you would like changed...
-----Original Message-----
From: Streeter, Joseph (WI) [mailto:Joseph.Streeter (at) wi.ngb.army (dot) mil]
Sent: Tue 9/9/2003 7:36 PM
To: 'focus-ms (at) securityfocus (dot) com'
Cc:
Subject: RE: Domain vs. Local security policy
It might be best to have the local GPO good and tight. That way there are
fewer policies that have to be applied across the network at start up and
logon. It's also the only policy to apply to local accounts on that machine.
If you want to back off any of the local policies you can override them with
the Domain or OU policy.
-----Original Message-----
From: simonis [mailto:simonis (at) myself (dot) com]
Sent: Monday, September 08, 2003 1:26 PM
To: Brad Renfro
Cc: focus-ms (at) securityfocus (dot) com
Subject: Re: Domain vs. Local security policy
Brad Renfro wrote:
>
> What is the residual risk of applying fairly strict domain wide security
> policies on a LAN but leaving local security policy pretty much the
> default?
>
As far as I understand it, this would allow someone to remove the box
from the domain and operate under the looser local policy. A larger
question is of what benefit it is to you?
-Ds
------------------------------------------------------------------------
---
KaVaDo provides the first and only integrated Web application scanner and
firewall security suite that prevent Web applications attacks, the most
common form of online exploitation. Download a FREE whitepaper on Security
Policy Automation for Web Applications.
http://www.securityfocus.com/sponsor/KaVaDo_focus-ms_030818
------------------------------------------------------------------------
---